<html><head><style id="outgoing-font-settings">#response_container_BBPPID{font-family: initial; font-size:initial; color: initial;}</style></head><body style="background-color: rgb(255, 255, 255); background-image: initial; line-height: initial;"><div id="response_container_BBPPID" style="outline:none;" dir="auto" contenteditable="false"> <div name="BB10" id="BB10_response_div_BBPPID" dir="auto" style="width:100%;">Run </div><div name="BB10" id="BB10_response_div_BBPPID" dir="auto" style="width:100%;"><span style="font-family: initial; font-size: initial;">openssl version</span></div><div name="BB10" id="BB10_response_div_BBPPID" dir="auto" style="width:100%;"><br></div><div name="BB10" id="BB10_response_div_BBPPID" dir="auto" style="width:100%;">The problem is openssl is too old for TLS 1.3 using Centos 7.</div><div name="BB10" id="BB10_response_div_BBPPID" dir="auto" style="width:100%;"><br></div><div name="BB10" id="BB10_response_div_BBPPID" dir="auto" style="width:100%;">You might want to read this:</div><div name="BB10" id="BB10_response_div_BBPPID" dir="auto" style="width:100%;">https://forums.centos.org/viewtopic.php?t=71848</div><div name="BB10" id="BB10_response_div_BBPPID" dir="auto" style="width:100%;"><br></div><div name="BB10" id="BB10_response_div_BBPPID" dir="auto" style="width:100%;">I have seen threads on building openssl so that you can support tls 1.3 on Centos 7. The trouble is once you build something it is your problem to update it. </div><div name="BB10" id="BB10_response_div_BBPPID" dir="auto" style="width:100%;"><br></div><div name="BB10" id="BB10_response_div_BBPPID" dir="auto" style="width:100%;">If you are on a cloud server you can create a centos 8 VPS and then migrate by transferring files via private IP. You can write a script of rsyncs. You will have to reinstall all the software again. </div><div name="BB10" id="BB10_response_div_BBPPID" dir="auto" style="width:100%;"><br></div><div name="BB10" id="BB10_response_div_BBPPID" dir="auto" style="width:100%;">I suggest sticking with TLS 1.2</div><div name="BB10" id="BB10_response_div_BBPPID" dir="auto" style="width:100%;"><br></div> <div id="blackberry_signature_BBPPID" name="BB10" dir="auto"> <div id="_signaturePlaceholder_BBPPID" name="BB10" dir="auto"></div> </div></div><div id="_original_msg_header_BBPPID" dir="auto"> <table id="_pHCWrapper_BBPPID" width="100%" style="border-spacing: 0px; display: table; outline: none;" contenteditable="false"><tbody><tr><td colspan="2" style="padding: initial; font-size: initial; text-align: initial;"> <div style="border-right: none; border-bottom: none; border-left: none; border-image: initial; border-top: 1pt solid rgb(181, 196, 223); padding: 3pt 0in 0in; font-family: Tahoma, "BB Alpha Sans", "Slate Pro"; font-size: 10pt;"> <div id="from"><b>From:</b> kaushalshriyan@gmail.com</div><div id="sent"><b>Sent:</b> March 11, 2020 8:49 PM</div><div id="to"><b>To:</b> nginx@nginx.org</div><div id="reply_to"><b>Reply-to:</b> nginx@nginx.org</div><div id="subject"><b>Subject:</b> TLS 1.3 not offered and downgraded to a weaker protocol</div></div></td></tr></tbody></table> <br> </div><!--start of _originalContent --><div name="BB10" dir="auto" style="background-image: initial; line-height: initial; outline: none;" contenteditable="false"><div dir="ltr"><div>Hi,<br></div><div><br></div>I am running nginx version: nginx/1.16.1 on CentOS Linux release 7.7.1908 (Core). I have configured <b>ssl_protocols TLSv1.2 TLSv1.3</b>; in /etc/nginx/<wbr><a href="http://nginx.conf">nginx.conf</a><wbr>. <div>#nginx -t<br>nginx: the configuration file /etc/nginx/<wbr><a href="http://nginx.conf">nginx.conf</a><wbr> syntax is ok<br>nginx: configuration file /etc/nginx/<wbr><a href="http://nginx.conf">nginx.conf</a><wbr> test is successful<br></div><div><br></div><div>Now when I am running <wbr><a href="http://testssl.sh">testssl.sh</a><wbr> (<a href="https://testssl.sh/">https://testssl.sh/</a>) which is a Testing TLS/SSL encryption tool, I see the below output </div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb( 204 , 204 , 204 );padding-left:1ex"> Testing protocols via sockets except NPN+ALPN<br> SSLv2 not offered (OK)<br> SSLv3 not offered (OK)<br> TLS 1 not offered<br> TLS 1.1 not offered<br> TLS 1.2 offered (OK)<br> <font color="#ff0000">TLS 1.3 not offered and downgraded to a weaker protocol<br></font> NPN/SPDY h2, http/1.1 (advertised)<br> ALPN/HTTP2 h2, http/1.1 (offered)</blockquote><div><br></div><div>Any clue regarding <font color="#000000">"TLS 1.3 not offered and downgraded to a weaker protocol" ? Please let me know if you need any additional information. Thanks in advance and I look forward to hearing from you.</font></div><div><font color="#000000"><br></font></div><div><font color="#000000">Best Regards,</font></div><div><font color="#000000"><br></font></div><div><font color="#000000">Kaushal</font></div></div>
<!--end of _originalContent --></div></body></html>